aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: add http.header.raw sticky buffer keyword

Browse Source 
Add parsing tests as well.
pull/3632/head
Victor Julien 7 years ago
parent 76fd666cad
commit 645acb1089
3 changed files with 70 additions and 0 deletions
Show Stats Download Patch File Download Diff File

1
src/detect-engine-register.h
Unescape Escape View File

@ -131,6 +131,7 @@ enum {
DETECT_AL_HTTP_HEADER_CONTENT_TYPE, DETECT_AL_HTTP_HEADER_CONTENT_TYPE,
DETECT_AL_HTTP_HEADER_REFERER, DETECT_AL_HTTP_HEADER_REFERER,
DETECT_AL_HTTP_RAW_HEADER, DETECT_AL_HTTP_RAW_HEADER,
DETECT_HTTP_RAW_HEADER,
DETECT_AL_HTTP_URI, DETECT_AL_HTTP_URI,
DETECT_HTTP_URI, DETECT_HTTP_URI,
DETECT_HTTP_URI_RAW, DETECT_HTTP_URI_RAW,

29
src/detect-http-raw-header.c
Unescape Escape View File

@ -53,6 +53,7 @@
#include "detect-http-raw-header.h" #include "detect-http-raw-header.h"
static int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, const char *); static int DetectHttpRawHeaderSetup(DetectEngineCtx *, Signature *, const char *);
static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str);
#ifdef UNITTESTS #ifdef UNITTESTS
static void DetectHttpRawHeaderRegisterTests(void); static void DetectHttpRawHeaderRegisterTests(void);
#endif #endif
@ -74,12 +75,22 @@ static int PrefilterMpmHttpHeaderRawResponseRegister(DetectEngineCtx *de_ctx,
*/ */
void DetectHttpRawHeaderRegister(void) void DetectHttpRawHeaderRegister(void)
{ {
/* http_raw_header content modifier */
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header"; sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].name = "http_raw_header";
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup; sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetup;
#ifdef UNITTESTS #ifdef UNITTESTS
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].RegisterTests = DetectHttpRawHeaderRegisterTests; sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].RegisterTests = DetectHttpRawHeaderRegisterTests;
#endif #endif
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT; sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_AL_HTTP_RAW_HEADER].alternative = DETECT_HTTP_RAW_HEADER;
/* http.header.raw sticky buffer */
sigmatch_table[DETECT_HTTP_RAW_HEADER].name = "http.header.raw";
sigmatch_table[DETECT_HTTP_RAW_HEADER].desc = "sticky buffer to match the raw HTTP header buffer";
sigmatch_table[DETECT_HTTP_RAW_HEADER].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-raw-header";
sigmatch_table[DETECT_HTTP_RAW_HEADER].Setup = DetectHttpRawHeaderSetupSticky;
sigmatch_table[DETECT_HTTP_RAW_HEADER].flags |= SIGMATCH_NOOPT;
sigmatch_table[DETECT_HTTP_RAW_HEADER].flags |= SIGMATCH_INFO_STICKY_BUFFER;
DetectAppLayerInspectEngineRegister2("http_raw_header", ALPROTO_HTTP, DetectAppLayerInspectEngineRegister2("http_raw_header", ALPROTO_HTTP,
SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS+1, SIG_FLAG_TOSERVER, HTP_REQUEST_HEADERS+1,
@ -125,6 +136,24 @@ int DetectHttpRawHeaderSetup(DetectEngineCtx *de_ctx, Signature *s, const char *
ALPROTO_HTTP); ALPROTO_HTTP);
} }
/**
* \brief this function setup the http.header.raw keyword used in the rule
*
* \param de_ctx Pointer to the Detection Engine Context
* \param s Pointer to the Signature to which the current keyword belongs
* \param str Should hold an empty string always
*
* \retval 0 On success
*/
static int DetectHttpRawHeaderSetupSticky(DetectEngineCtx *de_ctx, Signature *s, const char *str)
{
if (DetectBufferSetActiveList(s, g_http_raw_header_buffer_id) < 0)
return -1;
if (DetectSignatureSetAppProto(s, ALPROTO_HTTP) < 0)
return -1;
return 0;
}
static _Bool DetectHttpRawHeaderValidateCallback(const Signature *s, const char **sigerror) static _Bool DetectHttpRawHeaderValidateCallback(const Signature *s, const char **sigerror)
{ {
if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) { if ((s->flags & (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) == (SIG_FLAG_TOCLIENT|SIG_FLAG_TOSERVER)) {

40
src/tests/detect-http-raw-header.c
Unescape Escape View File

@ -54,6 +54,41 @@
#ifdef UNITTESTS #ifdef UNITTESTS
/**
* \test Test parser accepting valid rules and rejecting invalid rules
*/
static int DetectHttpRawHeaderParserTest01(void)
{
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; http_raw_header; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; nocase; http_raw_header; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; endswith; http_raw_header; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; http_raw_header; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; startswith; endswith; http_raw_header; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; content:\"abc\"; rawbytes; http_raw_header; sid:1;)", false));
FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http_raw_header; sid:1;)", false));
FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; content:\"abc\"; http_raw_header; sid:1;)", false));
PASS;
}
/**
* \test Test parser accepting valid rules and rejecting invalid rules
*/
static int DetectHttpRawHeaderParserTest02(void)
{
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; nocase; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; endswith; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; startswith; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; startswith; endswith; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; bsize:10; sid:1;)", true));
FAIL_IF_NOT(UTHParseSignature("alert http any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; rawbytes; sid:1;)", false));
FAIL_IF_NOT(UTHParseSignature("alert tcp any any -> any any (flow:to_server; http.header.raw; sid:1;)", false));
FAIL_IF_NOT(UTHParseSignature("alert tls any any -> any any (flow:to_server; http.header.raw; content:\"abc\"; sid:1;)", false));
PASS;
}
/** /**
*\test Test that the http_header content matches against a http request *\test Test that the http_header content matches against a http request
* which holds the content. * which holds the content.
@ -4480,6 +4515,11 @@ static int DetectHttpRawHeaderIsdataatParseTest(void)
void DetectHttpRawHeaderRegisterTests(void) void DetectHttpRawHeaderRegisterTests(void)
{ {
UtRegisterTest("DetectHttpRawHeaderParserTest01",
DetectHttpRawHeaderParserTest01);
UtRegisterTest("DetectHttpRawHeaderParserTest02",
DetectHttpRawHeaderParserTest02);
UtRegisterTest("DetectEngineHttpRawHeaderTest01", UtRegisterTest("DetectEngineHttpRawHeaderTest01",
DetectEngineHttpRawHeaderTest01); DetectEngineHttpRawHeaderTest01);
UtRegisterTest("DetectEngineHttpRawHeaderTest02", UtRegisterTest("DetectEngineHttpRawHeaderTest02",

Write Preview
Loading…
Cancel
Save